System and method configured to commission and decommission endpoint devices using steganography

The present disclosure relates generally to commissioning and decommissioning computer-based apparatus, and, more particularly, to a system and method configured to commission and decommission endpoint devices using steganography.

In organizations, many computer-based endpoint devices are connected to and through a network. Each endpoint device or processes, applications, agents, modules, and sub-systems of such an endpoint device is configured by instructions and settings from a system administrator, so as to commission or decommission the endpoint device or processes, applications, agents, modules, and sub-systems thereof.

The process of commissioning and decommissioning such endpoint devices can be time-consuming and complex. If such commissioning and decommissioning are not handled in a secure manner, sensitive information can potentially leak or cause an impact to the security of the organization. In addition, such commissioning and decommissioning are often performed manually, and so can be time-consuming. Accordingly, another major factor that could jeopardize the organization is human error, which is a common cause of problems in any process for the commissioning and decommissioning of such endpoint devices.

The instructions sent from the system administrator can be sent to a client-side computer-based agent of the endpoint device. The client-side computer-based agent then responds to such instructions to perform the necessary procedures and sub-routines to commission or decommission the endpoint device or processes, applications, agents, modules, and sub-systems of the endpoint device. However, such transmission of instructions can be intercepted by third-parties, allowing the third-party to view or tamper with the commissioning and decommissioning of endpoint devices. Accordingly, the security of the commissioning and decommissioning can be compromised.

One approach for securely commissioning and decommissioning endpoint devices is to add a layer of security to the commissioning and decommissioning process, such as transmitting such configuration instructions using secure communication techniques. According to an embodiment consistent with the present disclosure, a system and method are configured to commission and decommission an endpoint device using steganography by transmitting such configuration instructions steganographically embedded in a carrier file. The configuration instructions reconfigure the endpoint device to commission or decommission the endpoint device or a component thereof.

In an embodiment, a steganographic system comprises a hardware-based processor, a memory, a communication interface, and a set of modules. The memory is configured to store operating instructions and is configured to provide the operating instructions to the hardware-based processor. The communication interface is configured to establish a communication channel to an endpoint device. The set of modules is configured to implement the operating instructions provided to the hardware-based processor. The set of modules includes a steganographic module configured to receive configuration instructions, to generate a secret message corresponding to the configuration instructions, and to steganographically embed the secret message in a carrier file. The communication interface transmits the carrier file with the embedded instructions via the communication channel to the endpoint device. The endpoint device is configured to extract the secret message from the carrier file, and to execute the configuration instructions in the secret message, thereby reconfiguring the endpoint device based on the configuration instructions.

The carrier file can be a media file. The media file can be selected from the group consisting of: a text file, an image file, an audio file, and a video file. The steganographic module can steganographically embed the secret message in an image file as the media by altering at least one pixel of the image file. The steganographic module can steganographically embed the secret message in the image file using Least Significant Bit (LSB) insertion to encode the secret message by altering an LSB of the at least one pixel of the image file. Alternatively, the steganographic module can steganographically embed the secret message in an audio file as the media file using audio steganography to encode the secret message by altering at least one LSB of the audio file. The configuration instructions can reconfigure the endpoint device to commission a component of the endpoint device. Alternatively, the configuration instructions can reconfigure the endpoint device to decommission a component of the endpoint device.

In another embodiment, a system comprises a network, an endpoint device, and a steganographic sub-system. The endpoint device is operatively connected to the network, and includes a first hardware-based processor, a first memory, and a first set of modules. The first memory is configured to store first operating instructions and configured to provide the first operating instructions to the first hardware-based processor. The first set of modules is configured to implement the first operating instructions provided to the first hardware-based processor. The first set of modules includes a first steganographic module. The steganographic sub-system is operatively connected to the endpoint device through the network. The steganographic sub-system includes a second hardware-based processor, a second memory, a communication interface, and a second set of modules. The second memory is configured to store second operating instructions and is configured to provide the second operating instructions to the second hardware-based processor. The communication interface is configured to establish a communication channel through the network to the endpoint device. The second set of modules is configured to implement the second operating instructions provided to the second hardware-based processor. The second set of modules includes a second steganographic module configured to receive configuration instructions, to generate a secret message corresponding to the configuration instructions, and to steganographically embed the secret message in a carrier file. The communication interface transmits the carrier file with the embedded instructions via the communication channel to the endpoint device. The first steganographic module of the endpoint device is configured to extract the secret message from the carrier file. The first hardware-based processor executes the configuration instructions in the secret message, thereby reconfiguring the endpoint device based on the configuration instructions.

The carrier file can be a media file. The media file can be selected from the group consisting of: a text file, an image file, an audio file, and a video file. The second steganographic module can steganographically embed the secret message in an image file as the media by altering at least one pixel of the image file. The second steganographic module steganographically can embed the secret message in the image file using Least Significant Bit (LSB) insertion to encode the secret message by altering an LSB of the at least one pixel of the image file. Alternatively, the second steganographic module can steganographically embed the secret message in an audio file as the media file using audio steganography to encode the secret message by altering at least one LSB of the audio file. The configuration instructions can reconfigure the endpoint device to commission a component of the endpoint device. Alternatively, the configuration instructions can reconfigure the endpoint device to decommission a component of the endpoint device.

In a further embodiment, a method comprises receiving configuration instructions at a steganographic module, generating a secret message corresponding to the configuration instructions, steganographically embedding the secret message in a carrier file, transmitting the carrier file with the embedded instructions to the endpoint device, receiving the carrier file at the endpoint device, extracting the secret message from the carrier file, and executing the configuration instructions in the secret message, thereby reconfiguring the endpoint device based on the configuration instructions.

The configuration instructions can reconfigure the endpoint device to commission a component of the endpoint device. Alternatively, the configuration instructions can reconfigure the endpoint device to decommission a component of the endpoint device. The carrier file can be a media file selected from the group consisting of: a text file, an image file, an audio file, and a video file.

Any combinations of the various embodiments and implementations disclosed herein can be used in a further embodiment, consistent with the disclosure. These and other aspects and features can be appreciated from the following description of certain embodiments presented herein in accordance with the disclosure and the accompanying drawings and claims.

It is noted that the drawings are illustrative and are not necessarily to scale.

Example embodiments consistent with the teachings included in the present disclosure are directed to a systemand methodconfigured to commission and decommission endpoint devices using steganography. By using steganographic methods and techniques to conceal configuration instructions, used to commission or decommission an endpoint device, in a message to the endpoint device, the systemand methodcan securely send such configuration instructions without being detected by unauthorized parties. The configuration instructions can include steps for disabling access of an endpoint device to the network, wiping storage in an endpoint device, and uninstalling any specific software and applications.

As shown in, the systemincludes a steganographic system, a network, and at least one endpoint device,,. The steganographic systemis operatively connected to the network. The steganographic systemcan be a sub-system of the overall system. The networkis operatively connected to the at least one computer-based endpoint device,,. Each endpoint device,,can be a client device of an organization. The networkcan be the Internet connecting each endpoint device,,to devices such as website servers outside of the organization, as well as to other computer devices of the organization, such as a server, an intranet, or other client devices. Alternatively, the networkcan be an intranet of the organization connecting each endpoint device,,to other computer devices of the organization, such as an intranet server or other client devices. Each endpoint device,,includes a respective computer-based process,,. Each process,,can include an application, an agent, a module, or a sub-system of the respective endpoint device,,. Through the network, the steganographic systemis operatively connected to each endpoint device,,and the respective computer-based processes,,.

The steganographic systemincludes a server, a communication interface, a hardware-based processor, a memoryconfigured to store operating instructions and configured to provide the operating instructions to the hardware-based processor, and an input/output device. The steganographic systemcan include a set of modules configured to implement the operating instructions provided to the hardware-based processor. The servercan be a central server of the organization, with the at least one endpoint device,,being a client device associated with the server. As described in greater detail below, the steganographic systemcan generate and output, through the communication interface, a carrier fileincluding a secret messagehaving configuration instructions. The communication interfaceis configured to establish a communication channel through the networkto at least one endpoint device,,. The carrier filecan be a data file in a predetermined format. Alternatively, the carrier filecan be a data signal representing the data of a data file generated by the steganographic system. The carrier fileis transmitted through the networkto at least one of the endpoint devices,,to reconfigure the at least one endpoint device,,using the configuration instructions from the secret messageto commission or decommission the at least one endpoint device,,or a component thereof. For example, without loss of generality, the steganographic systemtransmits the carrier fileto the endpoint deviceto commission or decommission the endpoint device, or at least one application, agent, module, or sub-system of the endpoint device. As described in greater detail below, the carrier fileincludes a secret messagegenerated by a steganographic moduleof the server. The steganographic moduleis configured to implement the operating instructions provided to the hardware-based processorfrom the memory.

Each endpoint device,,is operatively connected to the network. Each endpoint device,,can include a hardware-based processor and a memory configured to store operating instructions and configured to provide the operating instructions to the hardware-based processor of the respective endpoint device,,. Each endpoint device,,can include a set of modules configured to implement the operating instructions provided to the hardware-based processor of the respective endpoint device,,. The set of modules of the respective endpoint device,,includes a respective steganographic module configured to extract the secret messagein the carrier file.

illustrates a schematic of a computing deviceincluding a processorhaving code therein, a memory, and a communication interface. Optionally, the computing devicecan include a user interface, such as an input device, an output device, or an input/output device. The processor, the memory, the communication interface, and the user interfaceare operatively connected to each other via any known connections, such as a system bus, a network, etc. Any component, combination of components, and modules of the systemincan be implemented by a respective computing device. For example, each of the steganographic system, the network, the endpoint devices,,, the server, the communication interface, the processor, the memory, the input/output device, and the steganographic moduleshown incan be implemented by a respective computing deviceshown inand described below.

It is to be understood that the computing devicecan include different components. Alternatively, the computing devicecan include additional components. In another alternative embodiment, some or all of the functions of a given component can instead be carried out by one or more different components. The computing devicecan be implemented by a virtual computing device. Alternatively, the computing devicecan be implemented by one or more computing resources in a cloud computing environment. Additionally, the computing devicecan be implemented by a plurality of any known computing devices.

The processorcan be a hardware-based processor implementing a system, a sub-system, or a module. The processorcan implement the processorin. The processorcan include one or more general-purpose processors. Alternatively, the processorcan include one or more special-purpose processors. The processorcan be integrated in whole or in part with the memory, the communication interface, and the user interface. In another alternative embodiment, the processorcan be implemented by any known hardware-based processing device such as a controller, an integrated circuit, a microchip, a central processing unit (CPU), a microprocessor, a system on a chip (SoC), a field-programmable gate array (FPGA), or an application-specific integrated circuit (ASIC). In addition, the processorcan include a plurality of processing elements configured to perform parallel processing. In a further alternative embodiment, the processorcan include a plurality of nodes or artificial neurons configured as an artificial neural network. The processorcan be configured to implement any known artificial neural network, including a convolutional neural network (CNN).

The memorycan be implemented as a non-transitory computer-readable storage medium such as a hard drive, a solid-state drive, an erasable programmable read-only memory (EPROM), a universal serial bus (USB) storage device, a floppy disk, a compact disc read-only memory (CD-ROM) disk, a digital versatile disc (DVD), cloud-based storage, or any known non-volatile storage. The memorycan implement the memoryin.

The code of the processorcan be stored in a memory internal to the processor. The code can be instructions implemented in hardware. Alternatively, the code can be instructions implemented in software. The instructions can be machine-language instructions executable by the processorto cause the computing deviceto perform the functions of the computing devicedescribed herein. Alternatively, the instructions can include script instructions executable by a script interpreter configured to cause the processorand computing deviceto execute the instructions specified in the script instructions. In another alternative embodiment, the instructions are executable by the processorto cause the computing deviceto execute an artificial neural network. The processorcan be implemented using hardware or software, such as the code. The processorcan implement a system, a sub-system, or a module, as described herein.

The memorycan store data in any known format, such as databases, data structures, data lakes, or network parameters of a neural network. The data can be stored in a table, a flat file, data in a filesystem, a heap file, a B+ tree, a hash table, or a hash bucket. The memorycan be implemented by any known memory, including random access memory (RAM), cache memory, register memory, or any other known memory device configured to store instructions or data for rapid access by the processor, including storage of instructions during execution.

The communication interfacecan be any known device configured to perform the communication interface functions of the computing devicedescribed herein. The communication interfacecan implement the communication interfacein. The communication interfacecan implement wired communication between the computing deviceand another entity. Alternatively, the communication interfacecan implement wireless communication between the computing deviceand another entity. The communication interfacecan be implemented by an Ethernet, Wi-Fi, Bluetooth, or USB interface. The communication interfacecan transmit and receive data over a network and to other devices using any known communication link or communication protocol.

The user interfacecan be any known device configured to perform user input and output functions. The user interfacecan implement the input/output devicein. The user interfacecan be configured to receive an input from a user. Alternatively, the user interfacecan be configured to output information to the user. The user interfacecan be a computer monitor, a television, a loudspeaker, a computer speaker, or any other known device operatively connected to the computing deviceand configured to output information to the user. A user input can be received through the user interfaceimplementing a keyboard, a mouse, or any other known device operatively connected to the computing deviceto input information from the user. Alternatively, the user interfacecan be implemented by any known touchscreen. The computing devicecan include a server, a personal computer, a laptop, a smartphone, or a tablet.

Referring to, the methodincludes receiving configuration instructions, such as commissioning or decommissioning instructions, in step. The configuration instructions are configured to commission or decommission the endpoint device. The configuration instructions can be generated in stepfrom inputs received through the input/output devicefrom a system administrator. For example, using the input/output device, the system administrator can input commands to the serverdesignating the endpoint device,,to be commissioned or decommissioned. Alternatively, instead of commissioning or decommissioning an entire endpoint device,,, the commands can designate a particular application, agent, module, or a sub-system of a designated endpoint device, with the commands commissioning or decommissioning the particular application, agent, module, or a sub-system. In addition, using the input/output device, the system administrator can input commands to the serverwhich specify whether the endpoint device or components thereof are to be commissioned, or alternatively are to be decommissioned. The servergenerates the configuration instructions from the commands input by the system administrator through the input/output device.

In an embodiment, the system administrator inputs such commands through the input/output devicein any known format, such as BASH, POWERSHELL, or JAVASCRIPT commands. The format of such commands depends on the configuration and specifications of the target endpoint device and a supported scripting language. Alternatively, the commands can be input through the input/output deviceusing any known programming language or script. The commands can instruct the endpoint device to configure the networkand components thereof such as routers, switches and firewall, the commands can also implement a security configuration including enabling a secret or password-based encryption. The commands can also implement networking monitoring for status and performance. The exact command can vary depending on the network, the operating system of the system, and a device command list.

Alternatively, the input/output devicecan include a user interface, such as a graphic user interface (GUI). The GUI can display a pull-down menu to the system administrator, allowing the system administrator to select the endpoint device or components thereof to be commissioned or decommissioned. In addition, the GUI can display another pull-down menu to select whether the endpoint device or components thereof are to be commissioned, or alternatively are to be decommissioned. The GUI can further display a control icon or button, for example, labelled “START” to initiate the generation and transmission of the secret messagein steps-. Alternatively, the configuration instructions can be generated automatically by the serverusing configuration data stored in the memory. The configuration data can be used by the serverto generate the configuration instructions to automatically commission or decommission the particular endpoint device or components thereof.

The methodgenerates the secret messagefrom the received configuration instructions in stepusing the server. The secret messageincluding commands or scripts can be in a text file format. Alternatively, the secret messagecan be in any known file format. The methodthen embeds the secret messageinto the carrier filein stepusing the steganographic moduleimplementing known steganographic methods and techniques. The carrier filecan be a media file. The media file can be stored in a media library stored in the memoryto be used to convey the secret message. In one embodiment, the carrier filecan be text file in a predetermined text file format. For example, the carrier filecan be in a Rich Text Format (RTF). In another embodiment, the carrier filecan be in a HyperText Markup Language (HTML) format. Alternatively, the carrier filecan be in any known text format.

In another embodiment, the carrier filecan be a picture or image file. For example, the carrier filecan be in the Joint Photographic Experts Group (JPEG) format. Alternatively, the carrier filecan be in any known image format. Using the steganographic module, the secret messageis embedded in an image file as the carrier filein stepusing Least Significant Bit (LSB) insertion, which involves altering the least significant bit of each pixel in an image file as the carrier fileto embed the secret message. In a further embodiment, the steganographic moduleembeds the secret messageinto an image file using an “Invisible Ink” technique. Using known “Invisible Ink” software, applications, or methods, the steganographic modulehides the secret messagewithin an image file as the carrier filein a way that is not detectable to the naked eye.

In another embodiment, the carrier filecan be an audio file. The secret messageis embedded into the audio file by the steganographic moduleusing audio steganography, which involves embedding the secret messagein the least significant bits of an audio file as the carrier file. In a further embodiment, the carrier filecan be a video file. For example, the carrier filecan be in the Moving Picture Experts Group (MPEG) format. Alternatively, the carrier filecan be in any known video format.

Using the commands input by the system administrator or by configuration data as described above, the carrier fileis transmitted to a particular endpoint device,,to be commissioned or decommissioned. Alternatively, the carrier filecan be tagged or associated with a routing message indicating the endpoint device,,or a component thereof to be commissioned or decommissioned. For example, the servercan respond to the input commands or configuration data to concatenate the carrier filewith the routing message. In response to the routing message, the servercan direct the communication interfaceto send the carrier fileto the designated endpoint device,,through the network. For example, the routing message can designate the carrier filewith the embedded secret messageto be sent to the endpoint device.

The methodthen transmits the carrier fileto the endpoint deviceas the designated endpoint device in step. The networktransmits the carrier fileto the designated endpoint device. For example, the transmission of the carrier filecan be performed using a secure communication protocol, such as an agent-based service provisioned to use the Hypertext Transfer Protocol Secure (HTTPS) protocol or other known secure communication protocols. The designated endpoint device receives the carrier filein step, and a respective process of the designated endpoint device extracts the secret messagefrom the carrier filein step. The process can be a client-side agent. Alternatively, the process can be an application. In another embodiment, the process can be a module. The process can include a client-side steganographic module configured to extract the secret messagefrom the carrier file. In the example above, the processof the endpoint deviceextracts the secret messagefrom the carrier file. As described above, the secret messageincludes the configuration instructions. The client-side steganographic module of the processcan use known steganographic detection techniques to extract the secret message. For example, a steganographic detection technique reverses the steganographic technique used to embed the secret message, and so the secret messageis revealed for use by the processof the endpoint device.

Alternatively, the servercan tag or associate the carrier filewith a steganographic identification message which indicates the type of steganographic technique used to embed the secret messageinto the carrier file. For example, the steganographic identification message can be concatenated with the carrier fileby the server. Using the steganographic identification message, the client-side steganographic module of the processcan use known the corresponding steganographic technique to extract the secret message.

The methodexecutes the extracted configuration instructions from the secret messagein stepto commission or decommission the endpoint deviceor a component thereof using the process. Using the systemand method, the configuration instructions used to commission or decommission an endpoint device or a component thereof can be transmitted securely in a message to the endpoint device without being detected by unauthorized parties. The endpoint devices,,of an organization or components thereof can be properly commissioned and decommissioned in a secure and controlled manner. For example, a system administrator can control the commissioning and decommissioning of components in an organization using a central serverinstead of manually controlling each endpoint device,,to be commissioned or decommissioned.

Accordingly, such proper commissioning and decommissioning of components of the organization can help to enhance the overall security of the organization, increase efficiency in managing components of the organization, improve the accuracy of the commissioning and decommissioning, and reduces costs by managing such commissioning and decommissioning.

Portions of the methods described herein can be performed by software or firmware in machine readable form on a tangible or non-transitory storage medium. For example, the software or firmware can be in the form of a computer program including computer program code adapted to cause the system to perform various actions described herein when the program is run on a computer or suitable hardware device, and where the computer program can be embodied on a computer readable medium. Examples of tangible storage media include computer storage devices having computer-readable media such as disks, thumb drives, flash memory, and the like, and do not include propagated signals. Propagated signals can be present in a tangible storage media. The software can be suitable for execution on a parallel processor or a serial processor such that various actions described herein can be carried out in any suitable order, or simultaneously.

It is to be further understood that like or similar numerals in the drawings represent like or similar elements through the several figures, and that not all components or steps described and illustrated with reference to the figures are required for all embodiments or arrangements.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “contains”, “containing”, “includes”, “including,” “comprises”, and/or “comprising,” and variations thereof, when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

Terms of orientation are used herein merely for purposes of convention and referencing and are not to be construed as limiting. However, it is recognized these terms could be used with reference to an operator or user. Accordingly, no limitations are implied or to be inferred. In addition, the use of ordinal numbers (e.g., first, second, third) is for distinction and not counting. For example, the use of “third” does not imply there is a corresponding “first” or “second.” Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of “including,” “comprising,” “having,” “containing,” “involving,” and variations thereof herein, is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.

While the disclosure has described several exemplary embodiments, it will be understood by those skilled in the art that various changes can be made, and equivalents can be substituted for elements thereof, without departing from the spirit and scope of the invention. In addition, many modifications will be appreciated by those skilled in the art to adapt a particular instrument, situation, or material to embodiments of the disclosure without departing from the essential scope thereof. Therefore, it is intended that the invention not be limited to the particular embodiments disclosed, or to the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope of the appended claims.

The subject matter described above is provided by way of illustration only and should not be construed as limiting. Various modifications and changes can be made to the subject matter described herein without following the example embodiments and applications illustrated and described, and without departing from the true spirit and scope of the invention encompassed by the present disclosure, which is defined by the set of recitations in the following claims and by structures and functions or steps which are equivalent to these recitations.